Supersingular Endomorphism Rings: Algorithms and Applications
Main author: | |
---|---|
Format: | Dissertation |
Language: | eng |
Online access: | Order full text |
Summary: | This thesis is about the endomorphism rings of supersingular elliptic curves, their applications in cryptography, and related algorithms. These algorithms and applications all involve an interplay between supersingular elliptic curves and quaternion algebras, which are related precisely through the endomorphism ring of the elliptic curves.
We divide the contributions in this thesis into two cases. The first is concerned with efficient algorithms for translating quaternion ideals to their corresponding isogenies, and their cryptographic applications. More specifically, we give the first practical implementation of this ideal to isogeny translation which works for general primes, and expand the literature on creating special primes that make the ideal to isogeny translation easier. Finally, we apply the lessons learned in these contributions to the signature scheme SQIsign. This gives a SQIsign-variant that has particularly fast verification.
The other case we consider is the algorithms, theory, and applications related to optimal embeddings (embeddings of quadratic orders into quaternion orders) and primitive orientations, which are optimal embeddings into the endomorphism rings of supersingular curves. The first contribution here is the asymptotically fastest algorithm for computing such embeddings. From this algorithm, we again derive other asymptotic improvements to algorithms for solving problems related to supersingular elliptic curves and their isogenies. For the second contribution, we generalise the theory of primitive orientations and show that the well-known class group action on oriented curves is a special case of a larger story involving generalised class groups and -level structures. The final contributions we give are practical improvements to the cryptographic primitive SCALLOP, which is based on this well-known class group action. By relaxing certain requirements on the class group structure, we get a significantly faster version of SCALLOP, which is also possible to instantiate at higher security levels than the original version. |
---|